Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 09:06
Behavioral task: behavioral1
- Sample: читы.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: читы.exe
- Resource: win10v2004-20240508-en
General
- Target: читы.exe
- Size: 102KB
- MD5: 58174445e23753c941d39dc0453ac348
- SHA1: 40e3a9047c49cbae6818297adcd03896d28364c2
- SHA256: 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
- SHA512: 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072
- SSDEEP: 1536:oBFpc8Z5dGYzabvawh+/C6vSX/QOcy/WPPqUs/uoDjSBSc7UtYVL:oa85dGCabvaw4/moOcy/R/1W0cgteL
Malware Config
Extracted: xworm
- 19.ip.gl.ply.gg:65468
- speed-wheat.gl.at.ply.gg:65468
- XWorm V5.2:123
- Install_directory: %AppData%
- install_file: Delta.exe
Signatures

Detect Xworm Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2060-1-0x0000000000EE0000-0x0000000000F00000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\Delta.exe | family_xworm
  behavioral1/memory/1180-37-0x00000000012F0000-0x0000000001310000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid | process
  2452 | powershell.exe
  2444 | powershell.exe
  2860 | powershell.exe
  2576 | powershell.exe
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | читы.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | читы.exe
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  1180 | Delta.exe
  876 | Delta.exe
  2856 | Delta.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | читы.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  2860 | powershell.exe
  2576 | powershell.exe
  2452 | powershell.exe
  2620 | taskmgr.exe
  2620 | taskmgr.exe
  2444 | powershell.exe
  2620 | taskmgr.exe
  2060 | читы.exe
  2620 | taskmgr.exe (the same pid/process pair is repeated for every remaining entry)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  2620 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2060 | читы.exe
  Token: SeDebugPrivilege | 2860 | powershell.exe
  Token: SeDebugPrivilege | 2576 | powershell.exe
  Token: SeDebugPrivilege | 2452 | powershell.exe
  Token: SeDebugPrivilege | 2620 | taskmgr.exe
  Token: SeDebugPrivilege | 2444 | powershell.exe
  Token: SeDebugPrivilege | 2060 | читы.exe
  Token: SeDebugPrivilege | 1180 | Delta.exe
  Token: SeDebugPrivilege | 876 | Delta.exe
  Token: SeDebugPrivilege | 2856 | Delta.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid | process
  2620 | taskmgr.exe (all 64 entries are this same pid/process pair)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid | process
  2620 | taskmgr.exe (all 64 entries are this same pid/process pair)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  2060 | читы.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (each row is recorded three times in the report):
  description | pid | process | target process
  PID 2060 wrote to memory of 2860 | 2060 | читы.exe | powershell.exe
  PID 2060 wrote to memory of 2576 | 2060 | читы.exe | powershell.exe
  PID 2060 wrote to memory of 2452 | 2060 | читы.exe | powershell.exe
  PID 2060 wrote to memory of 2444 | 2060 | читы.exe | powershell.exe
  PID 2060 wrote to memory of 1908 | 2060 | читы.exe | schtasks.exe
  PID 2184 wrote to memory of 1180 | 2184 | taskeng.exe | Delta.exe
  PID 2184 wrote to memory of 876 | 2184 | taskeng.exe | Delta.exe
  PID 2184 wrote to memory of 2856 | 2184 | taskeng.exe | Delta.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\читы.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\читы.exe"
    PID: 2060
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'
        PID: 2860
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'
        PID: 2576
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
        PID: 2452
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
        PID: 2444
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
        PID: 1908
        - Creates scheduled task(s)

[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 2620
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {9A5AE5AF-AECA-4007-B5F0-1C4C022A808D} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    PID: 2184
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Delta.exe
        Command line: C:\Users\Admin\AppData\Roaming\Delta.exe
        PID: 1180
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\Delta.exe
        Command line: C:\Users\Admin\AppData\Roaming\Delta.exe
        PID: 876
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\Delta.exe
        Command line: C:\Users\Admin\AppData\Roaming\Delta.exe
        PID: 2856
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 102KB
  MD5: 58174445e23753c941d39dc0453ac348
  SHA1: 40e3a9047c49cbae6818297adcd03896d28364c2
  SHA256: 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
  SHA512: 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7RJ30SFF6C8VLZXYVG3Q.temp
  Filesize: 7KB
  MD5: 2193ed7685c275d6d15011a19ad32f56
  SHA1: 1829ef942a6552558fe1649a5ed9433f03473bd5
  SHA256: f910cf82754eb19f99d045f43ec98a8c1c19aa77524f7ce889b035416b2bb3a4
  SHA512: df4a7b035c233ac59f7fd9089073a398fb016530d5c55877c0c6b127516694b15ac8cd7369ed23ff468992f8beed08c2c2eca219554363cf736a8ad7a1e61c3e